Global Information Assurance Certification Paper
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission. Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec
Eric Hansen GSEC_Practical_version 1.2F Internal SLA (Service Level Agreements) for Information Security Overview Information security typically suffers due to a lack of serious commitment by an organization on the prevention side of security breaches. Many systems are compromised even after patches or s. hotfixes have been publicized. The premise of this must be to understand the relationship ht between the information technology (IT) team and the information security (IS) team. The rig information security team must view themselves as customers of the information technology team. The IS teams must also see that their activities are common elements within the IT teams ull service to the enterprise. IS’ three legged stool of Confidentiality, Integrity and Availability f certainly coincides with IT’s Total Cost of Ownership (TCO) and Quality of Service (QoS) ins initiatives. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 eta Reactive versus Proactive rr The purpose of this paper is to advocate for the establishment of internal SLAs between the Information Technology team and the Information Security team. Internal SLAs should be ho established for the following reasons: A ut Security prevention becomes institutionalized within the organization. Information security remains a relatively immature discipline within most organizations. 5, Incorporating IS into business processes that other departments or teams engage in is always 00 beneficial. The advantage to the SLA approach is that emphasis is placed on substantive analysis -2 of deficiencies so servers, workstations, desktops, and laptops are configured securely prior to deployment into the field. 00 20 Staff can be evaluated on their security skill set. To aid the CIO in fully developing her staff, this process instigates a more complete evaluation of te the staff to see if they can fully support the details of the SLA. tu sti Training can be planned to enhance security skills. This may be considered as a sub-component of the item above, however, it has a somewhat In different angle because it puts the emphasis back on the IS team. For example, the IS team needs NS to determine if in-house or external training is needed or better clarification on policy or procedural issues. SA Processes are established for resolving security deficiencies on a regular basis. © The IT organization “fights fires” all the time and unless there is a formal process designated, implementing mundane patches prior to a contingency may be pushed to the bottom of the queue. Allocation of staff time Key fingerprint can FA27 = AF19 better2F94 be assigned. 998D FDB5 DE3D F8B5 06E4 A169 4E46 While the IS SLAs will not cover every security related service, clear, documented expectations allow IT managers to better plan their resources. This may be an example of incorporating the security resolution into a trouble ticket for a particular server. Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains1full rights.
Eric Hansen GSEC_Practical_version 1.2F Allocation of fiscal resources for the amount of security the organization determines it needs. This process presents a clearer, though not complete, picture of the commitment needed by the organization to fulfill its stated IS obligations. What are SLAs? s. Service Level Agreements (SLAs) may come in a variety of forms. These can range from internal ht agreements between departments or vendor to client agreements. Service Level Agreements for rig internal entities are also referred to as Service Level Requirements (SLRs). For this paper, SLA and SLR will maintain similar meanings and will be referenced by SLA. The SLA is an ull agreement between a perceived service provider and a perceived customer. The flavor of the f agreement depends entirely on the parties involved. SLAs address the following fundamental ins questions: what is delivered; where is it delivered; when is it delivered? Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 eta In this type of arrangement, the IS team decides what it believes are the most important elements rr of the program to monitor. If a risk analysis was conducted, the results or recommendations from these reports should be used. A properly deployed defense-in-depth strategy will aid in the ho IS team’s decision on the SLAs to negotiate. The key is to assure the IT teams that the IS ut program knows exactly what it wants and how it can be fairly measured. Each organization will have different threat vectors and will need to allocate resources in different manners. A 5, There are some additional guidelines on the governance of SLAs. They should be reviewed 00 regularly and changed as needed. These agreements must also be somewhat flexible for both -2 parties without interfering with the integrity of the process. There must be some consideration for dependencies when implementing system related SLAs. One example may include a 00 maintenance contract which requires vendor notification or assistance prior to any changes made 20 on a particular server or application. Finally, while having SLAs begins the codifying process, it will require on-going management from the IS and IT teams. te tu Critical Areas for SLAs sti The information security (IS) team must define the critical areas for the establishment of SLAs with the Information Technology team. This must focus upon those areas which the IT teams In have the most profound effect and control to significantly impact the IS program. Additionally, NS the IS team needs to limit SLAs to the most critical items, otherwise the effect of these agreements is lessened. A risk analysis or a review of previous incidents may point toward the SA most critical components for a particular organization. The following topical areas should be prevalent in most instances: © Network Scanning Many IS teams conduct scans to identify vulnerabilities on the network. Identifying the problems is merely the first part of the process. The next step is to determine how the problem should be resolved. The third = Key fingerprint step is how AF19 FA27can2F94 it be998D incorporated into a F8B5 FDB5 DE3D process so that 06E4 A169it should 4E46 not arise in the future. Many organizations use commercial tools to automate the network scanning process. If ISS Internet Scanner is being used, this product will document vulnerabilities grouped into categories of High Risk, Medium Risk and Low Risk. The Help Index within the ISS Internet Scanner defines risk levels in the following manner. Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains2full rights.
Eric Hansen GSEC_Practical_version 1.2F High Any vulnerability that allows an attacker to gain immediate access into a machine, to gain superuser access, or to bypass a firewall. Examples include: A s. vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands ht on mail servers, installation of BackOrifice, NetBus or an Admin account rig without a password. ull Medium f References any vulnerability that provides information, degrades performance, ins or a has a high potential of giving system access to an intruder. Examples Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 include: identification of an active modem on the network, zone transfers, eta writeable FTP directories. rr Low ho References any vulnerability that provides information that could potentially ut lead to a compromise. Examples include: Floppy drive is available to all users, IE may perform insufficient SSL validation, logon and logoff auditing is not A enabled. 5, 00 A value-add to the ISS tool is that it will provide recommendations and instructions on how to fix -2 the vulnerability. In the report, the IT teams may see: 00 - Configuration changes 20 - Installation of service packs - Installation of patches te - ACL (Access Control List) changes tu - Registry edits sti - Disabling services In The single greatest benefit these recommendations provide to the IT teams is reducing the time to NS research solutions to these problems, which should equate to faster implementation. Naturally, depending upon the severity of the vulnerability, this will determine the extent of the time SA required to resolve the deficiency. For example, High vulnerabilities must be resolved within 48 hours, Medium vulnerabilities resolved within one week and Low vulnerabilities resolved within © one month. Forensics Forensics provides a wide umbrella for which many investigations can be covered. IS teams are routinely asked during Key fingerprint an investigation = AF19 FA27 2F94 what 998Dhappened, FDB5 DE3Dwhen it happened F8B5 06E4 A169and4E46 should it have happened. Conducting a forensics investigation without the benefit of log files normally results in failure. For example, law enforcement subpoenas the company for which user(s) surfed on a particular Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains3full rights.
Eric Hansen GSEC_Practical_version 1.2F website. In this example, the company has an Internet filtering software product but logs the user by IP address. Additionally, the company has a client/server environment using DHCP. For the IS team to fulfill (after Corporate Counsel’s approval) the request within the subpoena, it will need to match the proxy logs and the DHCP logs together. To add to the complexity, the DHCP logs are maintained at each facility within the company’s organization but use one Internet access s. point through the proxy server. Naturally, the first questions are: does the company retain the ht proxy logs and for how long. If the period in question is covered, the next set of questions are: rig does each individual site maintain the DHCP log and for how long; supplementing that question is what is the length of the reservation or lease for an IP address at each location. An added ull function is to research whether successful or failed logon and logoff attempts are being logged for f that particular user or computer. Another prime example is attempting to investigate strange ins behavior on a client without the benefit of complete logging information. Logging will normally Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 show if you have been “visited.” eta rr Therefore, SLAs pertaining to forensics may include: - Proxy logs, firewall logs, server logs, syslogs, DHCP logs, client logs ho - Length of time retained before being overwritten ut - Threshold for moving the logs to a central logging server, portable media or off-site data storage. A 5, Change & Documentation Management 00 In most situations, a well-run IT organization will normally equate to a well-managed data -2 security program. In addition to the IT teams having the appropriate skill sets, proper documentation of IT processes, equipment and resources must be keep current for a proper 00 implementation of an IS program. 20 When conducting risk assessments, network scanning or responding to contingencies or te investigative requests, a properly documented network topology is necessary. While this may tu appear a reasonable request, networks are in a constant state of change. Changes to the sti documentation is slow due to the implementation of previous changes or forthcoming changes. An example of a SLA for the network topology is that each IT team must update the network In topology on a monthly basis. NS A more detailed example is the anti-virus countermeasure program. User education and SA investigations are conducted by the IS team, however, anti-virus software is administered by the IT teams. In this example, a company uses the TrendMicro family of products. The servers use © Server Protect, the Exchange environment uses Scanmail and the clients use Office Scan. These three products may appear as only one application, however, each has its own peculiarities to be understood. Comparing and contrasting the three applications are as follows. Common documentation Key fingerprint = AF19elements are which FA27 2F94 998D network resource FDB5 DE3D has06E4 F8B5 which application, A169 4E46 interval of system scanning, and what to do with infected files (move it, delete it, quarantine it). The OfficeScan product should have how the console managers are configured; ability for users to disable/enable the product; how pattern files are updated, i.e. on-the-fly, SMS, or through a logon script. Are special considerations are made for dial-up users as they may have to force a Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains4full rights.
Eric Hansen GSEC_Practical_version 1.2F “manual” update of the pattern files. The ScanMail product has the option of stripping specific file types (.exe, .com, .vbs, .scr, .bat) prior to the user receiving it. ServerProtect may be installed on servers not necessarily connected to the network but still needing anti-virus support. SLA elements may include designating critical applications that should have their documentation s. reviewed on a more frequent basis than others. For instance, the anti-virus documentation may ht need updating every quarter while the ERP access roles need semi-annual review. rig Elements to address when compiling SLAs for the Change/Documentation Management area ull may include: f - changes in configurations ins - network infrastructure changes Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 - API changes eta - log of system failures and respective problem resolution rr - frequency of documentation review - detailed project description ho - responsible individuals for each document ut - written service and maintenance agreements A Data Back-ups 5, Data back-ups are the cornerstone to a strong IS program. After all is said and done, data back- 00 ups still allow a company to recover its business either fully or from some established baseline. -2 At one company, a financial database back-up was disabled to allow a back-up on the tape library in favor of a pre-production server that was testing a new software release component for the 00 production ERP application. The failure of this individual to notify the process owner that this 20 occurred adversely affected the company. Mr. Murphy visited this company in the form of a crashed and a corrupted database. Since the database had not been backed-up for nearly three te months, a tremendous amount of unproductive labor went into recreating that data. Most tu companies have already experienced problems when attempting to restore a backed-up sti application and finding out that the tape was corrupted, contained no data, only contained a partial back-up or was infected with viruses/malicious software. In NS Some elements to determine when creating SLAs within the topic may include: - Conceptual back-up documentation SA - Verification that the data on back-up is valid - Documentation of which server/applications are backed-up and the respective schedule © - Validation of restore through a regularly scheduled check - Designation of an off-site storage location and the pick-up/drop-off schedule - Designation of which back-ups contain company confidential or proprietary information - Explanation of the labeling scheme used by the IT teams to track back-ups - KeyDocumentation on how fingerprint = AF19 FA27to2F94 conduct 998Dback-ups and theF8B5 FDB5 DE3D restoration of back-ups 06E4 A169 4E46 - Anti-virus check prior to backing up Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains5full rights.
Eric Hansen GSEC_Practical_version 1.2F Conclusion The establishment of IS SLAs between the IT teams and the IS teams is necessary to assure the enterprise that proactive measures are implemented. This provides the IT teams with reasonable expectations and provides the IS teams with a definitive spot in the queue, other than last. s. ht rig full ins Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 eta rr ho A ut 5, 00 -2 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains6full rights.
Eric Hansen GSEC_Practical_version 1.2F List of References Andress, Mandy. “Internal SLAs Benefit the Entire Company.” Infoworld. April 27, 2001 URL: http://www.infoworld.com/articles/tc/xml/01/04/30/010430tcintersla.xml (December 1, 2001) s. Bernard, Allen. “The SLAs They Are A’Changin.” ASPnews.com. July 27, 2001 URL: ht http://www.aspnews.com/trends/article/0,2350,9921_792841,00.html (December 1, 2001) rig Bolding, Jeb. “SLAs: Do They Hit the Mark?” Network World ASP Newsletter. July 16, 2001 ull URL: http://www.nwfusion.com/newsletters/asp/2001/00915560.html (December 1, 2001) f ins Cope, James. “12 Ways to a Better SLA.” COMPUTERWORLD. November 12, 2001 URL: Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 http://www.computerworld.com/storyba/0,4125,NAV47_STO65569,00.html (December 1, 2001) eta rr Koch, Christopher. “Put It In Writing.” CIO Magazine, November 15, 1998. URL: http://www.cio.com/archive/111598/sla.html (December 1, 2001) ho ut Lacerda, Cecinio Silva. “Service Level Agreement.” www.whatis.com August 6, 2001 URL: http://whatis.techtarget.com/definition/0,289893,sid9_gci213586,00.html (December 1, 2001) A 5, McAnally, Pat. “ERP and Business Continuity: What the Experts Won’t Tell You.” 00 www.disaster-resource.com -2 URL:http://www.disaster-resource.com/cgi-bin/article_search.cgi?id='21 (December 1, 2001) 00 Scalet, Sarah D. “Here Come the Lawyers.” CIO Magazine, November 8, 2001. URL: 20 http://www.cio.com/security/edit/a110801_legal.html (December 1, 2001) te Schroeder, Max. “A SLA Primer, Allen’s Law: Almost anything is easier to get into, than get out tu of.” Computer Telephony, March 5, 2001 sti URL: http://www.cconvergence.com/article/CTM20010216S0002 (December 1, 2001) In Wrobel, Leo A. “Components of a Successful LAN Disaster Recovery Plan.” www.disaster- NS resource.com URL: http://www.disaster-resource.com/cgi-bin/article_search.cgi?id='95' (December 1, 2001) SA Internet Security Systems – Internet Scanner Help Index – Version 6.1 www.iss.net © TrendMicro – OfficeScan, Server Protect and ScanMail product descriptions http://www.antivirus.com/products Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Eric_Hansen_GSEC_Practical © SANS Institute 2000 - 2005 Author retains7full rights.
Last Updated: February 12th, 2021 Upcoming Training SANS Secure Japan 2021 Virtual - Japan Standard Feb 22, 2021 - Mar 13, 2021 CyberCon Time, Japan SANS Scottsdale: Virtual Edition 2021 , Feb 22, 2021 - Feb 27, 2021 CyberCon Virtual - Greenwich SANS London February 2021 Mean Time, United Feb 22, 2021 - Feb 27, 2021 CyberCon Kingdom SANS Cyber Security East: March 2021 , Mar 01, 2021 - Mar 06, 2021 CyberCon Virtual - Singapore SANS Secure Asia Pacific 2021 Standard Time, Mar 08, 2021 - Mar 20, 2021 CyberCon Singapore SANS Secure Asia Pacific 2021 Singapore, Singapore Mar 08, 2021 - Mar 20, 2021 Live Event SANS Cyber Security West: March 2021 , Mar 15, 2021 - Mar 20, 2021 CyberCon Virtual - Gulf Standard SANS Riyadh March 2021 Time, Kingdom Of Saudi Mar 20, 2021 - Apr 01, 2021 CyberCon Arabia SANS 2021 , Mar 22, 2021 - Mar 27, 2021 CyberCon SANS Secure Australia 2021 Canberra, Australia Mar 22, 2021 - Mar 27, 2021 Live Event Virtual - Central SANS Munich March 2021 European Time, Mar 22, 2021 - Mar 27, 2021 CyberCon Germany Virtual - Australian SANS Secure Australia 2021 Live Online Eastern Daylight Time, Mar 22, 2021 - Mar 27, 2021 CyberCon Australia SANS Cyber Security Mountain: April 2021 , Apr 05, 2021 - Apr 10, 2021 CyberCon SANS London April 2021 Virtual - British Summer Apr 12, 2021 - Apr 17, 2021 CyberCon Time, United Kingdom SANS Autumn Australia 2021 Sydney, Australia Apr 12, 2021 - Apr 17, 2021 Live Event Virtual - Australian SANS Autumn Australia 2021 - Live Online Eastern Standard Time, Apr 12, 2021 - Apr 17, 2021 CyberCon Australia Virtual - Central SANS SEC401 (In Spanish) April 2021 European Summer Time, Apr 12, 2021 - Apr 23, 2021 CyberCon Spain SANS Cyber Security East: April 2021 , Apr 12, 2021 - Apr 17, 2021 CyberCon SANS Secure India 2021 Virtual - India Standard Apr 19, 2021 - Apr 24, 2021 CyberCon Time, India SANS Baltimore Spring: Virtual Edition 2021 , Apr 26, 2021 - May 01, 2021 CyberCon SANS Cyber Security Central: May 2021 , May 03, 2021 - May 08, 2021 CyberCon SANS Security West 2021 , May 10, 2021 - May 15, 2021 CyberCon Virtual - Central SANS Amsterdam May 2021 European Summer Time, May 17, 2021 - May 22, 2021 CyberCon Netherlands SANS Cyber Security East: May 2021 , May 17, 2021 - May 22, 2021 CyberCon Virtual - Central SANS Stockholm May 2021 European Summer Time, May 31, 2021 - Jun 05, 2021 CyberCon Sweden Virtual - Central SANS In French May 2021 European Summer Time, May 31, 2021 - Jun 05, 2021 CyberCon France SANS Cyber Security Central: June 2021 , Jun 07, 2021 - Jun 12, 2021 CyberCon Virtual - Central SANS Paris June 2021 European Summer Time, Jun 14, 2021 - Jun 19, 2021 CyberCon France
You can also read